Friday, 20 February 2009

DMZ for Legacy applications?

Most enterprises have a habit of forgetting that one or more legacy applications are running out-of-date, perhaps even unsupported, software that for design reasons can't be upgraded.

By design I mean either the program was poorly written and won't run, even in compatibility mode, on later versions because the developer didn't follow coding standards.

Trust me when I say 90% of the time developers seem blissfully unaware there is even such a thing as standard practice in development.

Or the software house no longer exists. The reasons are numerous, but the outcome is the same: you have a hole in your security.

Out-of-date versions of software leave you vulnerable to code exploits, DoS and other well-known attacks against these applications.

Remember that you have just as many security risks inside your company as outside of it.

So to better secure the application and avoid security breaches or DoS attacks, place the older application into a DMZ in the same way you would a web server or email server, so that you can control the traffic going to and from it. (Don't put it in the same DMZ as your public-facing servers such as web and email, or the network administrator from hell will eat your soul!!!) OK, he won't, but I needed to make it clear to you. Put them in a separate DMZ for internal use only.

Remember that limiting the ports and destinations of the traffic will make it far more secure. It is also good practice to limit the way traffic flows on your LAN: where possible, place all application servers into a DMZ, or at least restrict the traffic flowing between them on the switches or VLANs.

OK, enough theory, now for a real-life example. A company has an old in-house application that runs reports for managers on projected sales. Nothing special in that, but it runs off a Visual Basic application with a SQL backend. So far nothing special, however the SQL Server is version 7.0, which is no longer supported or patched; the developer wrote some code in the database that stops the reports from working in later versions, and that developer no longer works for the company, so we need to keep it for now.

Using well-known exploits I went from having a user account with limited access to SA access in just under 20 minutes (thanks to Google). No deep SQL knowledge needed, just some light reading: type the version and the word exploit and you're halfway done.

After some meetings it was shown that if only the Visual Basic application could access SQL, on its well-known ports, we could prevent 98% of the attacks. Still not bulletproof, but much better than before.
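As an added example (not from the original post), here is a Python model of the default-deny rule set the internal DMZ firewall would enforce for this setup, run over a few constructed flow-log lines so the blocked traffic can be reviewed. The addresses, port numbers and log format are assumptions, not values from the post.

```python
import ipaddress
from collections import Counter

# Constructed addressing for the example: the legacy SQL Server 7.0 box sits in
# an internal DMZ, the VB report application runs on one server, and staff
# workstations live on the general LAN. None of these values come from the post.
SQL_SERVER = ipaddress.ip_network("10.9.9.10/32")
APP_SERVER = ipaddress.ip_network("10.1.1.20/32")

# Ordered allow rules for the DMZ firewall: (src, dst, proto, dst port).
# Only the application server may reach the SQL listener. Anything not listed is
# dropped in either direction, which also stops the unpatched SQL box from
# opening connections back into the LAN if it is ever compromised.
ALLOW = [
    (APP_SERVER, SQL_SERVER, "tcp", 1433),   # VB app -> SQL Server (TDS)
]

def decide(src, dst, proto, dport):
    """Return 'ACCEPT' if an allow rule matches the flow, otherwise 'DROP'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_proto, rule_port in ALLOW:
        if s in rule_src and d in rule_dst and proto == rule_proto and dport == rule_port:
            return "ACCEPT"
    return "DROP"

def audit(flow_log):
    """Run flow-log lines ('src dst proto dport') through the policy and return
    (verdict counts, dropped flows) so denied traffic can be reviewed."""
    counts, dropped = Counter(), []
    for line in flow_log.strip().splitlines():
        src, dst, proto, dport = line.split()
        verdict = decide(src, dst, proto, int(dport))
        counts[verdict] += 1
        if verdict == "DROP":
            dropped.append(line)
    return counts, dropped

# Constructed sample flows: the legitimate report run, a workstation talking to
# the database directly, a probe of another port on the DMZ host, and the SQL
# box itself reaching out to a file share on the LAN.
SAMPLE_LOG = """
10.1.1.20 10.9.9.10 tcp 1433
10.1.5.77 10.9.9.10 tcp 1433
10.1.5.77 10.9.9.10 udp 1434
10.1.5.77 10.9.9.10 tcp 139
10.9.9.10 10.1.2.5 tcp 445
"""

if __name__ == "__main__":
    counts, dropped = audit(SAMPLE_LOG)
    print(dict(counts))
    for flow in dropped:
        print("blocked:", flow)
```

Only the first flow is accepted; the other four, including the SQL server's own outbound connection, are dropped and listed for review.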

So remember, DMZs are not just for public-facing services, as half the security risk is already working on your network.
